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Abstract 

Fixed point logics are widely used in computer science, in particular 
in artificial intelligence and concurrency. The most expressive logics 
of this type are the /i-calculus and its relatives. However, popular 
fixed point logics tend to trade expressivity for simplicity and read- 
ability, and in fact often live within the single variable fragment of the 
/.t-calculus. The family of such flat fixed point logics includes, e.g., 
CTL, the *-nesting-free fragment of PDL, and the logic of common 
knowledge. Here, we extend this notion to the generic semantic frame- 
work of coalgebraic logic, thus covering a wide range of logics beyond 
the standard /i-calculus including, e.g., flat fragments of the graded 
/i-calculus and the alternating-time /.t-calculus (such as ATL), as well 
as probabilistic and monotone fixed point logics. Our main results 
are completeness of the Kozen-Park axioniatization and a timed-out 
tableaux method that matches ExpTime upper bounds inherited from 
the coalgebraic /i-calculus but avoids using automata. 



1 Introduction 

Many of the most vi^ell-known logics in program verification, concurrency, 
and other areas of computer science and artificial intelligence can be cast 
as fixed point logics, that is, embedded into some variant of the ^u-calculus. 
Typical examples are PDL [25J where, say, the formula {a*)p ('p can be 
reached by finite iteration of o') can be expressed as the least fixed point 
fiX . py (a) X ; CTL [7], whose formula AFp ('p eventually holds on all paths') 
is just the fixed point fiX.p V OX; and the common knowledge operator C 
of epistemic logic [19], where Cp ('it is common knowledge that p') can be 
expressed as the fixed point uX. AILi ^i{P^^) with n the number of agents 
and Ki read as 'agent i knows that'. A common feature of these examples 
is that they trade off expressivity for simplicity of expression in comparison 
to the full /i-calculus. 

One of the reasons why the full //-calculus is both hard to read and 
algorithmically problematic in practice is that one has to keep track of bound 
variables. Indeed we note that the simpler logics listed above (in the case 
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of PDL, the *-nesting-free fragment) live in the single-variable fragment of 
the yu-calculus (a subfragment of the alternation-free fragment [10!), which 
is precisely what enables one to abandon variables altogether in favour of 
variable-free fixed point operators such as AF or C. We shall refer to logics 
that embed into a single- variable ^-calculus as flat fixed point logics [27] . 

Here, we study flat fixed point logics in the more general setting of coal- 
gebraic logic. Coalgebra has recently emerged as the right framework for 
a unified treatment of a wide range of modal logics with seemingly dis- 
parate semantics beyond the realm of pure relational structures. Examples 
include monotone modal logic, probabilistic modal logics [T7], graded modal 
logic [m U], and coalition logic ^23j. This level of generality is achieved 
by parametrizing the semantics over a type functor on the category of 
sets, whose coalgebras play the role of frames. Besides standard Kripke 
frames, the notion of coalgebra encompasses, e.g., Markov chains, weighted 
automata, multigraphs, neighbourhood frames, selection function frames, 
and game frames. The theory of coalgebraic modal logic has evolved quite 
rapidly, and presently includes, e.g., generic upper bounds Pspace for satis- 
fiability in next-step logics [29], and ExpTime for satisfiability under global 
assumptions in hybrid next-step logics [30J. 

In our flat coalgebraic fixed point logics one can express operators such 
as 'the coalition C of agents can maintain p forever', 'the present state is 
the root of a binary tree all whose leaves satisfy p\ or 'p is commonly be- 
lieved with reasonable certainty'. In particular, we cover the single-variable 
fragments of the graded /^-calculus [16J and the alternating-time ^-calculus 
(AMC) [1], including alternating-time temporal logic (ATL). Flat coalge- 
braic fixed point logics are fragments of coalgebraic //-calculi, and as such 
known to be decidable in ExpTime under reasonable assumptions [3]. How- 
ever, the decision procedure for the coalgebraic /i-calculus is, like the one 
for the standard /i-calculus [9j, based on automata and as such has expo- 
nential average-case run time, while tableaux methods as suggested, e.g., by 
Emerson and Halpern for CTL [5] and by Kozen for the aconjunctive frag- 
ment of the /i-calculus [14J, are expected to offer the possibility of feasible 
average-case behaviour. 

Our main results on flat coalgebraic fixed point logics, parametric both 
w.r.t. the coalgebraic branching type and the choice of flat fragment, are 

• completeness of the natural axiomatization that makes the fixed point 
definitions explicit, generalizing the well-known Kozen-Park axioma- 
tization; and 

• a construction of timed-out tableaux similar in spirit to Kozen's 
tableaux for the aconjunctive /u-calculus, 

both under mild restrictions on the form of fixed point operators. The 
completeness result generalizes results of ^27] to the level of coalgebraic logic. 
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and relies on the notion of O-adjointness [26] to prove that fixed points in 
the Lindenbaum algebra are constructive, i.e. approximable in uj steps. The 
crucial ingredient here are the one-step cutfree complete rule sets of [291 122]. 
These enable far-reaching generalizations of both the key rigidity lemma and 
the O-adjointness theorem of [27j, the latter to the effect that all uniform- 
depth modal operators are O- adjoint. The novel tableaux construction is 
instrumental in the completeness proof, and at the same time confirms the 
known ExpTiME upper bound, avoiding however the use of automata and 
thus raising hopes for efficient implementation. 

Our completeness result follows a long tradition of non-trivial complete- 
ness proofs, e.g. for PDL [13 [31], CTL 0, the aconjunctive //-calculus [H], 
and the full /i-calculus [32]. Note that all these results are independent, as 
completeness is not in general inherited by sublogics, and in fact employ 
quite different methods. Instantiating our generic results to concrete logics 
yields new results in nearly all cases that go beyond the classical relational /x- 
calculus, noting that neither [16j nor [4j cover axiomatizations. In particular, 
we obtain for the first time a completeness result and a tableau procedure 
for graded fixed point logics, i.e. fragments of the graded //-calculus, and we 
generalize the completeness of ATL [12] to arbitrary flat fragments of AMC. 

Most proofs have been recorded separately in the appendix. 

2 Flat Coalgebraic Fixed Point Logics 

We briefly recall the generic framework of coalgebraic modal logic [2H |28] , 
and define its extension with flat fixed point operators, a fragment of the 
coalgebraic /x-calculus [4]. 

The first parameter of the syntax is a (modal) similarity type A, i.e. a 
set of modal operators with associated finite arities. We shall work with 
formulas in negation normal form throughout, and therefore assume that 
every modal operator 's? € A comes with a dual operator G A of the same 
arity, where 'v' = Q?. This determines the set J^(A), or just J-, of modal 
formulas 7, 6 by the grammar 

7, 5 ::= J-\T\v\^v\^A5\j\/5 \ ^(71, . . . , 7n) 

where ^ G A is n-ary and v comes from a fixed countably infinite set V of 
variables. Negation -1, admitted in the above grammar only for variables v, 
then becomes a derived operation on all formulas in the standard way; e.g., 
-i'v'(7i, . . . , 7ri) = ^(-'7, . . . , ~'7n), and -i-iu = v. Further derived operations 
— >■, -f-)- are defined as usual. Moreover, we define the dual 7 of 7 as 7 = -170" 
where the substitution a is given by o'{v) = for all v V. We intend 
variables as place holders for arguments and parameters of formulas defining 
fixed point operators; as such, they serve only technical purposes and will 
not form part of the actual fixed point language defined below. Instead, 
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propositional atoms are incorporated into the modal similarity type A as 
nullary operators when needed (noting that some logics, such as Hennessy- 
Milner logic, do not have propositional atoms). 

The second syntactic parameter of a flat coalgebraic fixed point logic is 
a set r of modal formulas 7, where we distinguish a single fixed argument 
variable x and regard all other variables pi, . . . ,pn in 7 as parameters; we 
require that 7 is monotone in all variables, i.e. does not contain -ix (an 
essential condition for the existence of fixed points) or -ipj (a mere technical 
convenience, and not an actual restriction as one can always negate the 
actual parameter instead of the parameter variable). We require moreover 
that all 7 € r are guarded, i.e. that their argument variable x appears only 
under the scope of at least one modal operator; as shown in [32j, this is not 
an essential restriction as every |U-calculus formula is provably equivalent to a 
guarded formula. We denote substituted formulas 7[<y7i/pi; . . . ; '■Pn/Pn', i^/x] 
as 7((/?i, ...,(/?„, -(/;). The set J"n(A,r) or just of (fixed point) formulas 
ip,ip \s then defined by the grammar 

-0 ::= -L 1 T I ^p^^ \ ipVip \ 9((^i, . . . , (/?„) | fi^{Lpi, . . . ,ipn) \ b-{ipi, . . . ,ipn) 

where ^ G A is n-ary and 7 S T. The operator jj^ represents the least fixed 
point 

Jj^((/?l, ...,ipn) = flX.j{ipi,. . .,(pn,x), 

while b-{ifi, . . . , ifn) represents the greatest fixed point ux.'^^ipi, . . . , ipn, x). 
Syntactically, '^^ is an atomic operator, and occurrences of variables in 7 do 
not count as occurrences in formulas \))-y<j). We restrict the further technical 
development to unary fixed point operators, i.e. we assume that every 7 G F 
has only one parameter variable, denoted by p throughout. Similarly, we 
restrict to unary modalities ^. Both restrictions are purely in the interest 
of readability; the extension to higher arities is a mere notational issue, and 
we shall sometimes mention polyadic operators in the examples. Negation 
extends to fixed points by -^]^^{ip) = \}7y(^^p) and -^b^{ip) = \j,^{^ip). Note 
that unlike in the case of modal formulas, we have not included variables in 
the definition of fixed point formulas. A (fixed point) formula with variables 
is an expression of the form 70", where 7 is a modal formula and cr is a 
substitution of some of the variables in 7 with formulas (i.e. variables never 
appear under fixed point operators). In the following, the term formula will 
refer to fixed point formulas without variables unless variables are explicitly 
mentioned. For 7 € F, we denote the function taking a formula ip to j{(p, ip) 
by 7(95), and by 7(9^)*^ its /c-fold iteration. We assume a suitable size measure 
on formulas, and in particular that numbers (e.g. in graded or probabilistic 
operators) are coded in binary. The size of a finite set of formulas is the 
sum of the sizes of its elements. 

The logic is further parametrized semantically over the underlying class 
of systems and the interpretation of the modal operators. The former is 
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determined by the choice of a type functor T : Set — t- Set, i.e. an operation 
T that maps sets X to sets TX and functions f : X ^ Y to functions 
Tf : TX — )• TY, preserving identities and composition, and the latter by 
the choice of a predicate lifting [Q?] for each ^ E A. Here, a predicate lifting 
(for T) is a family of maps Ax : VX — t- VTX, where X ranges over all sets, 
satisfying the naturality condition 

\x{f-'[A]) = {Tf)-'[MA)] 

for all / : X — > y, ^ G VY . As we work with fixed points, we insist that all 
modal operators are monotone, i.e. [^] : 'P(Ar) — >■ V{TX) is monotone w.r.t. 
set inclusion for each ^ € A. Moreover, the assignment of predicate liftings 
must respect duality of operators: for G A, [^lx(^) = TX-P\x{X-A). 
Given these data, the role of models is played by T-coalgebras, i.e. pairs 
{X, ^) where X is a set of states and : X — )■ TX is the transition function; 
thinking of TX informally as a parametrised datatype over X, we regard ^ as 
associating with each state x a structured collection ^(x) of successor states 
and observations. E.g. for TX = VX x V{U), given a set U of propositional 
atoms, we obtain that T-coalgebras are Kripke models, as they associate 
with each state a set of successor states and a set of valid propositional 
atoms. Our main interest here is in examples beyond Kripke semantics, see 
Example 12.11 

As indicated above, the choice of predicate liftings determine the inter- 
pretation of modal operators. The semantics of a formula 93 with argument 
variable x (no other variables will ever be evaluated in unsubstituted form) is 
a subset [<^](x^)(-^) — given a T-coalgebra (AT, ^) and a set B C X. The 
semantics of formulas without variables (in particular of ft- or b-formulas) 
does not depend on B and hence will be denoted just by 
obvious clauses for Boolean operators, \x\^^x ~ ™^ 

M(^,^)(i?) = r'Rx(M(x,o(^)) 

lhiv)}(x,o = [J{B C X I i? C l7(v')l(x,o(^)}- 

The clause for tt7(v) just says that [tt7 ('/')! (x^) is the least fixed point of the 
monotone map [7('/3)](j^ : V{X) — )• V{X), and similarly |t'7('/?)](x ^) i^ the 
greatest fixed point of [7('/3)l(x^)- fix the data T, A, T etc. throughout. 

Example 2.1. 1. Kripke semantics: Fixed point extensions of the 
modal logic K have a single modal operator □, interpreted over the power- 
set functor V (which takes a set X to its powerset 'P{X)) by the predicate 
hfting [□Ix(^) = {B e V{X) \ B <Z A}. It is clear that P-coalgebras 
(X, ^ : X — > V{X)) are in 1-1 correspondence with Kripke frames, and that 
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!□] captures the usual semantics of the box operator. Multi-agent exten- 
sions are interpreted over TX = V{A x X) where A is the set of agents. CTL, 
*-nesting-free PDL, and the logic of common knowledge are flat fixed point 
logics in this setting; e.g, AU and EU are the t|-operators for p2 V {pi A Dx) 
and for p2 V {pi A Oa;), respectively. 

2. Graded fixed point logics are sublogics of the graded ii-calculus |16j . 
They have modal operators Ofc 'in more than k successors', with duals Dfc 
'in all but k successors', interpreted over the functor B that takes a set X 
to the set B{X) = X ^ uj + I oi multisets over X by [Ofclx(^) = {-B G 
B[X) I > k}. This captures the semantics of graded modalities 
over multigraphs [5j, which is equivalent to the more customary Kripke se- 
mantics ^llj w.r.t. satisfiability of fixed point formulas. In description logic, 
graded operators are called qualified number restrictions [2]. The example 
mentioned in [16], a graded fixed point formula expressing that the current 
state is the root of a finite binary tree all whose leaves satisfy p, can be 
expressed by the ft-operator for pVOia^- Similarly, the ft-operator forpVDfcX 
expresses that p holds somewhere on every infinite k + 1-ary tree starting at 
the current state. 

3. Probabilistic fixed point logics, i.e. fixed point extensions of probabilis- 
tic modal logic [17j . have modal operators Lp 'in the next step, it holds with 
probability at least p that', for p e [0, 1] fl (Q. They are interpreted over the 
functor D that maps a set X to the set of discrete probability distributions 
on X by putting |Lp]^(^) = {P £ V{X) \ PA > p}. Coalgebras for V 
are Markov chains. We can use the b-operator AGp for p A LpX to express 
formulas like AGp^iaW, stating that the system will, at any point during its 
run time, fail with a probability of less than 1 — p; a. sensible specification 
for systems that may sometimes fail but should not fail excessively often. 
In an epistemic reading of probabilities, flat probabilistic fixed point log- 
ics support, e.g., a common belief operator 'it is commonly believed with 
confidence p that'. 

4. The alternating-time fj,-calculus (AMC) [1] has modal operators {{A))Q) 
read 'coalition A has a joint strategy to enforce ... in one step', where 
a coalition is a subset of a fixed set of agents (in coalition logic [23] . 
these operators are denoted [A]). Their semantics is defined over concurrent 
game structures, and can be captured coalgebraically [29]. One of the flat 
fragments of AMC is Alternating-Time Temporal Logic (ATL) [1]. E.g., 
the ATL-operator {{A))piUp2, read 'coalition A can eventually force p2 and 
meanwhile maintain pi, is the (j-operator for p2 V {pi A {{A)) Q Fl^-t 
fixed points in AMC go considerably beyond ATL; e.g. the b-operator for 
P ''^ (0) O (()) O ^ Cp holds in all even states along any path') is not even in 
ATL* [HE]. A similar flat operator, the b-operator for {{A))0{pA{{B))0{qA 
x)), expresses that coalitions A and B can forever play ping-pong between 
p and q. 
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5. Monotone fixed point logics have a modal operator □, interpreted over 
the monotone neighbourhood functor defined by Ai{X) = {21 G V{V{X)) \ 
21 upwards closed} by means of the predicate lifting [□]j^(j4) = {21 G 
M.{X) I >1 € 21}. In multi-modal versions of this, boxes and their semantics 
are indexed, e.g. over agents, programs, or games. This is the semantic set- 
ting of logics such as concurrent PDL [24] and Parikh's game logic |20) . the 
flat fragments of which are the *-nesting-free fragments. E.g., using (7) to 
denote the game logic operator 'Angel has a strategy to enforce ... in game 
7', the operator (7^) for a *-free game 7, where x denotes demonic iteration 
(Demon chooses the number of rounds), is the b-operator for p A (7)3;. 

3 The Generic Axiomatization 

The generic semantic and syntactic framework of the previous section comes 
with a generic, parametrized deduction system, whose completeness will be 
one of our main results. We begin with the fixed part of the deduction sys- 
tem. We include full propositional reasoning, i.e. introduction of substituted 
propositional tautologies and modus ponens. Fixed points are governed by 
the obvious generalization of the Kozen-Park axiomatization: we have the 
unfolding axiom 

and the fixed-point induction rule 

for all formulas i-p^X- 

The variable part is now the axiomatization of the modal operators, 
which turns out to be completely orthogonal to the fixed point axiomati- 
zation. In fact, we can just re-use complete rule sets for the purely modal 
logic as developed in [22] . First some notation. 

Definition 3.1. We denote the set of of positive propositional formulas 
(formed using only A and V) over a set Z by Pos(Z), and the set {^a | 'v' G 
A, a G Z} by A(Z). We say that a conjunction (disjunction) is contracted if 
no conjunct (disjunct, respectively) occurs twice in it. For ip,'^ ^ Pos(Z), 
we say that (/? propositionally entails ip and write \-pL ip if (p ip is 
a propositional tautology. Similarly, <I> C Pos(Z) propositionally entails ip 
($ \-pL V) if there exist 931, . . . G ^ such that cpi A ■ ■ ■ A (pn \~pl fp- 
For ip G Pos(Z), we denote the evaluation of ip in the Boolean algebra 
V{X) under a valuation t : Z ^ T^i^) by Mxr' ^"^^ write X,t \= ip 
if [vlxr ~ ^ Pos(A(Z)), the interpretation IV'Itx.t of V' in the 

Boolean algebra V{TX) under r is the inductive extension of the assignment 
¥^{z)hx,r = mxT{z). We write TX,r ^ V if Wrx.r = TX. 
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We can now give the formal definition of the modal rule format, where due 
to monotonicity of the modal operators we can restrict to monotone rules 
following To understand the following, note that every rule of the form 
(/j/x, which says that if ip is provable then x is provable, comes with a dual 
tableau rule xlW saying that if x is consistent then Tp is consistent. 

Definition 3.2. A (monotone one-step) rule R = p/x consists of a premise 
(p G Pos(y) and a conclusion x which is a disjunction over A{V) (recall that 
V is the set of variables), where every variable appears at most once in p 
and every variable in p appears also in x- The rule R is one-step sound 
if whenever X,t \= p for a valuation r : y — )• Vi^X), then TX,t \= x- 
Given a set TZ of one-step rules, we say that a conjunction -0 over A{V) is 
one-step cut-free r-consistent for a set X and t : V ^ ^(^) if whenever 
ip/x ^ and a : V ^ V is a. renaming such that x'^ is contracted and 
"ip ^PL Xcr (note that propositional entailment between conjunctions is just 
reverse containment), then 7^ 0. We say that TZ is one-step cutfree 

complete if tXt ^ whenever ip is one-step cut-free r-consistent. A 
set ^I' C A{V) is one-step cut-free r-consistent if for all ipi,...,ipn S ^I'l 
■01 A ■ ■ ■ A ■0n is one-step cut-free r-consistent. 

(In the terminology of ^29j, one-step cutfree complete rule sets correspond 
to one-step complete rule sets which are closed under contraction and res- 
olution.) As the last parameter of the framework, we fix from now on a 
one-step cutfree complete set TZ of one-step sound monotone one-step rules, 
and denote the arising logic by C^. Rules p/ip £ TZ are applied in substituted 
form, i.e for every substitution a, we may conclude tpa from pa. It is easy to 
see that the arising parametrized deduction system is sound. As usual, we 
write \- (p if (p is provable, and ip \- ijj ii \- p . We say that (p is consistent 
if -i</3 is not provable. It has been shown that one-step cutfree complete rule 
sets engender complete cut-free sequent systems for the purely modal logic, 
and suitable rule systems have been exhibited for all logics of Example 12.11 
and many more [29\ 122]. E.g., a one-step cutfree complete set of monotone 
one-step rules for K is 

(n>0). 



Vr=i Oai V ab 

As a more complex example, we recall the one-step cutfree complete rule 
schema for graded operators [29], reformulated to fit the monotone rule 
format: 

E"=i -rihaj) + EjLi Sjbj > 

where n + m> 1 and ri, r„, si, ...,«„> 0, subject to the side condition 
Y17=i''"ii^i + 1) — + Sj^i'^i^j- Here, the premise represents a linear 
inequality between the characteristic functions of the Oj and the bj, i.e. 
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count Sj when bj holds and — rj when Oj does not hold; this is easily seen to 
be expressible by a positive propositional formula (cf. |29j). 

4 Constructive Fixed Points 

Our next aim is to prove that the Lindenbaum algebra of £j is constructive, 
i.e. its fixed points can be iteratively approximated in co steps. In terms 
of consistency of formulas, this means that whenever a formula of the form 
^y{(p) A ijj IS consistent, then already A ^/^ is consistent for some 

i > 0; this fact plays a pivotal role in our tableau model construction. We 
begin by introducing the requisite algebraic tools. 

We define a K-modal algebra A as a Boolean algebra extended with a 
monotone operation '\)^ : A ^ A for each ^ G A. In such an algebra, every 
modal formula ip{vi, . . . ,Vn) is naturally interpreted as an operation (^"^ : 
A^ A. Now we say that A validates a rule R = ip/if) \i 'il)^{ai, . . . , a„) = T 
whenever ip^{ai, . . . , o^) = T. A ^-algebra is a A-algebra A that is endowed 
with operations ft^ and for each 7 G F such that for each a € A, (l^ (o) is 
the least fixed point of the map 7"^ (a, —): A ^ A and by (a) is the greatest 
fixed point of 7^(0, — ) (in particular, these fixed points exist in a jj-algebra). 
An C^-algebra is a ft-algebra A that validates every rule R of our fixed set 
IZ of one-step rules. In the tradition of algebraic logic, the class of these 
algebras provides an algebraic encoding of the proof system. 

More specifically, we will be interested in the Lindenbaum algebra A{C<^) 
of our logic. As usual, this algebra is defined as the quotient of the formula 
algebra (term algebra, or absolutely free algebra) under the congruence re- 
lation = of provable equivalence (that is, = -0 iff ^ "0 is derivable). 
Observe that in a natural way, every sentence is interpreted as the ele- 
ment (^^(^tt) = [(^] of this algebra; we will mostly write Lp rather than [99]. 
The Kozen-Park axiomatization ensures that A{C\^) actually is a C^-algebra, 
and then of course, the initial £jj-algebra. 

In these terms, our target property is phrased as follows. 

Definition 4.1. We say that 7 € F is constructive if 

i<u} 

in the Lindenbaum algebra ^(£jj), i.e. if '^'y{'-p) \~ ip whenever 7((/?)*(_L) h 
for all i < uj. If all 7 € F are constructive, then A{C'^) is constructive. 

We explicitly state the dual formulation of this property: 

Lemma 4.2. Let 7 be constructive. If 'i,'y{ip) A ip is consistent, then 
7((/?)*(_L) Atp is consistent for some i < uj. 
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The central tool for proving constructivity, introduced in [26] and featuring 
prominently in [27J, is the notion of a finitary O-adjoint: 

Definition 4.3. We say that 7 is an O-adjoint if for all 99, G J^j, there 
exists a finite set G^(^)('i/') of formulas such that for all p & T^, 

7(95, /o) h V iff /5 ^ X for some x G G^(<^)(V'), 

i.e. j{ip,p) < Tp in A{C^) iff p < x for some x £ C!^(^^^{ip). Moreover, 7 is a 
finitary O-adjoint if can be chosen such that for every ip, the closure 

of ip under G^(,^) , i.e. the smallest set A of formulas such that x S .4 implies 
G-y{^){x) ^ -4, is finite. 

Lemma 4.4. /^t*/ Every finitary O-adjoint is constructive. 

The first step in the proof of O-adjointness for a large class of operators is 
a vast generalization of the rigidity lemma of |26] : 

Lemma 4.5 (Rigidity). Let ip be a disjunction over A{A(C^)). Then Tp is 
provable iff there exists a one- step rule ^pjx and a substitution a such that 
ipa is provable, x^" is contracted, and xo" I~pl ^■ 

The proof relies on the one-point extension of an algebra (so called because 
it mimics the addition of a new root point in a coalgebraic model on the 
algebraic side) , in generalization of a similar construction in |27j : 

Let A be a countable >C(j-algebra, let S{A) be the set of ultrafilters of A, 
fix a surjective map o" : y — )• A, and let a conjunction p over A(l/) be one- 
step ei-consistent ioi : V ^ V{S{A)) given by 9{v) = {« G S{A) \ a{v) G 
u\. We construct the one-point extension Ap, an £(j-algebra emulating the 
addition of a new point whose successor structure is described by p, as 
follows. To begin, we can find a maximally one-step ^-consistent set $ C 
A(y) such that (^\-pL p. As we emulate adding a single point, the carrier 
of A^ \s Ax 2. We make A^ into a A-modal algebra by putting 

9^''(a,d) = (<:)'^(a),9^(a)), 

where : A ^ 2 Is defined by (^^(a) = T iff G ^a. (Thus, ^^'(0,^) 
is independent of d, in agreement with the intuition that the interpretation 
of modal operators depends only on the successor structure of the current 
state, not on the state itself.) In particular, this implies that per > _L in AP. 

Lemma 4.6. The algebra AP is an C^-algebra. 

In consequence of the fact that ^(>Cjj) is the initial £j-algebra, we thus have 

Lemma 4.7. Let a : V A(C^) be surjective. If a conjunction p over 
A(J^jj) is one-step 9 -consistent for 6{v) = {li G S[A{C^)) \ a{v) G u}, then p 
is consistent, i.e. p > A- in A{C^). 
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From Lemma 14.71 one easily proves Lemma 14.51 using the fact that every 
consistent formula is contained in some ultrafilter of A{Cf^). 

In a nutshell, rigidity enables us to prove O-adjointness of all (monotone) 
modal operators, and even more generally all modal formulas where the 
argument variable x occurs at uniform depth (such as n\()xA()Ox). Formally: 

Definition 4.8. A formula 99 with variables is uniform of depth k if every 
occurrence of the fixed argument variable x in if is in the scope of exactly 
k modal operators (including the case that x does not occur in 93; recall 
moreover that variables never occur under fixed point operators). Moreover, 
ip is uniform if if is uniform of depth A: for some k; the minimal such k is 
the depth of uniformity of if. 

Finitaryness of O-adjoints will use the standard Fischer-Ladner closure: 

Definition 4.9. A set S of formulas is Fischer-Ladner closed if S is 
closed under sub formulas and negation, and whenever *'y(v') € S, then 
j{ip,-k^{ip)) G S for ★ € {tJib}. We denote the Fischer-Ladner closure of 
a formula ip by FL{ip). 

Lemma 4.10. /i^/ The set FL{ip) is finite and of polynomial size in ip. 

The further development revolves largely around admissible rules. Formally, 
these are rules (p/tp where ip and ip are formulas with variables vi, . . . ,Vn 
such that A{C^) validates ip/ip, i.e. whenever h ip{pi, . . . , pn) for formulas 
pi,...,Pn then h Tpipi,. . .,Pn)- 

Lemma 4.11. Let ip he uniform, and put 

G = {ip ^ Pos(FL(^)) I ip/ip admissible, ip uniform of depth 0}. 

Then we have that for all p, ip{p) is provable iff ip{p) is provable for some 
ipeG. 

sketch. Induction over the depth of uniformity, with trivial base case, using 
rigidity (Lemma 14. 5p in the inductive step. □ □ 

Theorem 4.12 (Finitary O-adjointness). If the formula ip with argument 
variable x is monotone and uniform in x, then the operation ipj'^^^i^ : 
A{Cf^) — >■ A(Cf^) induced by ip is a finitary O-adjoint. 

sketch. For E Jjj , we have to construct a set G^ {ip) of formulas such that 
for all p G J^d, ip{p) h iff /9 h X for some x ^ G^{ip). Now ip' := ip ^ ip \s 
uniform. Let G C Pos(-FL(^')) be as in Lemma I4.1H applied to ip' , and let 
Go be a finite set of representatives of G modulo propositional equivalence. 
Then 

Gr^iv) = {x(T) I X e Go, h x(T) V x(±)} 
does the job. □ □ 
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Using uniform formulas as a base, we can now exploit some known closure 
properties of finitary O-adjoints [26]. 

Definition 4.13. The set of admissible modal formulas is the closure of the 
set of monotone uniform modal formulas in x under disjunction, conjunction 
with modal formulas not containing x, and substitution for the argument 
variable, the latter in the sense that if 7 and 6 are admissible, then ^(6) is 
admissible. 

Corollary 4.14. Ifj(^T is admissible, then ^ is a finitary O-adjoint, and 
hence constructive. 

Prom now on, we require that every 7 G F is admissible, and hence ^(>Cjj) 
is constructive. All fixed point operators mentioned in Example 12.11 are 
admissible, in fact uniform. 

5 The Tableau Construction 

We proceed to describe a construction of timed-out tableaux for consistent 
formulas, which we shall then use as carrier sets for coalgebraic models. 
(Note that in coalgebraic logics, tableaux, being only relational structures, 
cannot directly serve as models.) Our time-outs are related to Kozen's fi- 
counters [14] but are integrated into the formulas appearing in the tableau 
(rather than maintained independently in the construction of the tableau), 
and in particular govern the way modal successor nodes are generated. The 
use of time-outs is justified by constructivity of fixed point operators as 
proved in the previous section. In the following, we fix a finite Fischer- 
Ladner closed set S. 

Definition 5.1. The set of timed-out formulas tp,ip is generated by the 
grammar 

ip,il) ::= L\T \ip hilj\ipy '4}\^ip\ 'i,.y[pY I by(p) (k G w -M, p G £||) 

where 7 G F, 'v' G A, subject to the restriction that 93 is a timed-out formula 
only in case ip has at most one subformula of the form tt7(x)'^ with k < co 
(which however may occur any number of times), and for this tt7(x)'^) 

- ^-yix)^ is not a subformula of ip; and 

- whenever ]i,s{p)^ is a subformula of ip, then ]^sip) is a subformula of x- 
In this case, we define the time-out T(ip) of ip to be k, and T{(p) = lo otherwise 
(i.e. if ip does not contain any subformula of the form \)t-y{x)'^ with k < 
oj). The time-out gives the number of steps left until satisfaction of the 
eventuality tt7(x)i with time-out u signifying an unspecified number of steps 
(note that time-outs are never associated with b-formulas). 
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We define two translations s and t of timed-out formulas into iZjj, given 
by commutation with Boolean and modal operators, (t>y(p))* = (t>y(p))* = 
\>-{p), and 

ihipyy = lipn^) (^<^)- 

Thus, s unfolds fixed points as prescribed by their time-outs, and t just 
removes time-outs. Both translations extend to sets of formulas. For timed- 
out formulas ip, we put ip ^ tp iS ip^ = tp^ and T{ip) < T{ip). That \s, 'p <ip 
iff if is the same as ■0 up to possible decrease of the time-out. Given a set 
S of formulas, a timed-out formula (/9 is a timed-out Ti-formula if 99* G S. 

The point of the definition of timed-out formulas is that every standard 
formula ip has at most one candidate subformula at which one can insert a 
time-out, namely the greatest element under the subformula ordering among 
the subformulas of ^p which are [j-formulas, if such a greatest element exists 
and is not under the scope of a b-operator. This enables the simple definition 
of ^, which trivially has the following property. 

Lemma 5.2. For every formula <~p, the preimage of ip under the translation 
t is linearly ordered by :<. 

At the same time, timed-out formulas are stable under unfolding: 

Lemma 5.3. If '^^/{ip)'^ is a timed- out formula, then so is j{ip,'^^{ip)'^). 

States of the tableau will be labelled by sets of formulas satisfying a timed- 
out version of the usual expandedness requirement. 

Definition 5.4. A timed-out T,-atom is a maximal set A of timed-out S- 
formulas such that (i) the translation t is injective on A, and (ii) A^ is 
consistent. Here, maximality is w.r.t. Q where A Q B iS for all ip (z A, 
there exists a (necessarily unique) ip' (z B such that ip' ^ (p; intuitively: B 
contains A up to possible decrease of time-outs. We write A for the closure 
of A under ^ (i.e. if ip A and (p ^ ip' then ip' A). 

The following lemma uses the fact that finite product orderings {00 
are well-quasi-orders, and in particular have only finite anti-chains |18) . 

Lemma 5.5. The set of timed-out Ti-atoms is finite. 

Lemma 5.6 (Timed-out Lindenbaum lemma). For every set Aq of timed- 
out Ti- formulas such that Aq is consistent and t is injective on Aq, there 
exists a timed- out Ti-atom A such that Aq Q A. 

The proof of the truth lemma crucially depends on a set of Hintikka-like 
properties: 
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Lemma 5.7. If A is a timed-out Ti-atom, then 



4 



2. 



3. 



1 



if (f Alp (z A then ip £ A and ip € A; 
if ipV ip £ A then (p £ A or ip £ A; 
Li A; 

if %'^{}p)'^ € A, then k < oo; 



5. 



6. 



(^Aiff^{ip4^{p,Y-^)eA; 
\>^{<p) G A iff-f{^,\)^{ip)) G A. 



We proceed to define the actual tableaux, which relate timed-out atoms in a 
way that reflects application of dual rules x/^ of modal rules ip/x G while 
fixed points are in a sense taken care of by the timed-out atoms themselves. 

Definition 5.8. A demand of a S-atom j4 is a formula p = (pa, where 
(p/x £ 7^ is a rule with dual rule x/'^ ^-iid o" is a substitution such that 
X<7 is contracted and A hpi xa. A timed-out T,-tableau {T,R,l) consists of 
a finite graph (T, R) and a labelling / of the nodes n € T with timed-out 
S-atoms l{n) such that for every demand p of Z(n), there exists uRm such 
that l[m) \-pL p. The tableau {T,R,l) is a timed-out 'S-tableau for ip £ T, 
if {ip'Y = f for some ip' £ l{n),n G T. A coalgebra structure ^ on T is 
coherent if for every n and every ^(/? € S, 



where n{ip) = {m G T | nRm, ip G l{m)}. 

The link between timed-out tableaux and coalgebraic models is provided by 
the following lemma, whose proof relies on one-step cutfree completeness of 
the rule set. 

Lemma 5.9 (Model existence lemma). For every timed- out T, -tableau 
{T,R,l), there exists a coherent coalgebra structure on T- 

Lemma 5.10 (Truth lemma). If {T, R,l) is a timed-out Y^-tableau and is 
a coherent coalgebra structure on T, then n G Iv^lc^g) whenever ip G l{n). 

sketch. Induction over timed-out S-formulas ip using the lexicographic prod- 
uct of the subterm ordering on and ^ as the induction measure, and with 
the inductive hypothesis strengthened to apply also to (p € l{n). Boolean 
cases are by Lemma 15.7) the step for modal operators is by coherence. The 
case for b-operators is by coinduction. For ip = '^^{ipY, we have k < u 
and ^{ipit'yi'^Y^'^) ^ K'^) by Lemma 15.71 Then prove by a further in- 
duction over subformulas (5 of 7 that n ^(t,0 {^{'4^A'^{i^Y~'^)Y whenever 
^{4'A'y{'^Y~^) ^ l{n)- Here, the case for the parameter variable x is dis- 
charged by the inductive hypothesis applied to '^^{ipY~^. □ □ 



i{n) G P\n{ip) iff G l{n) 
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The previous two lemmas imply that every formula that has a timed-out 
tableau is satisfiable. The following lemma provides the link to consistency. 

Lemma 5.11. For any consistent ip £ there is a finite timed-out S- 
tableau. 

In summary, we have proved completeness of the Kozen-Park axiomatiza- 
tion: 

Theorem 5.12 (Completeness). IfT is admissible andTZ is one-step cutfree 
complete, then the is complete over finite models. 

This result applies to all flat fixed point logics of Example 12.11 including all 
admissible flat fragments of AMC and the graded ^u-calculus. 

6 Complexity 

Next we analyse the algorithmic aspects of satisfiability checking. This 
analysis is independent of the completeness result from Section [S] (except 
that completeness tells us that satisfiability checking is equivalent to con- 
sistency checking) but uses the same model construction. The complexity 
of the satisfiability problem as such is known: under additional conditions 
that we shall use below as well, it has been shown that satisfiability in the 
coalgebraic ^-calculus is in ExpTime ^ (and therefore typically ExpTime- 
complete, with hardness inherited from the standard //-calculus). However, 
like known decision procedures for the standard //-calculus, the algorithm 
in [3] uses automata-based methods and as such will exhibit exponential 
average-case behaviour, while a simple tableau method such as the one de- 
veloped in Section [5] offers the possibility of feasible average-case behaviour 
using bottom-up construction of tableaux. 

What is missing technically from the tableau construction of Section [5] 
with a view to complexity bounds is a bound on the time-outs. While 
we are confident that this can be proved directly using the O-adjointness 
method (e.g. it is easy to show in this way that in Lemma 14.21 ^ can be 
exponentially bounded in ^■y{(p) A ip), this is not actually necessary given 
that it has already been proved in [4j that the coalgebraic /U-calculus has 
the exponential model property. This implies immediately that time-outs 
can be exponentially bounded, so that tableaux are at most exponentially 
large. The key contribution of our tableaux construction here is to make this 
straightforward idea (which is similar in spirit to, e.g., Kozen's tableaux for 
the aconjunctive fragment of the /i-calculus ^4j) work in a way that handles 
time-outs economically and consistently. 

The size bound on tableaux alone does not yet imply an ExpTime 
bound; however, we can obtain such a bound by using the coalgebraic gen- 
eralization of the global caching method in exactly the same way as done 
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in [13] for coalgebraic modal logic with global assumptions. To this end, we 
need to assume, as in [l3l|30], that our set TZ of one-step rules is ExpTime- 
tractable, i.e. that there exists a coding of the rules such that, up to proposi- 
tional equivalence, all demands of a conjunction over A(J"n) can be generated 
by rules with codes of polynomially bounded size, and such that validity of 
codes, matching of rule codes for ip/x & TZ to conjunctions ip over A(J^n) 
(in the sense of finding a such that xc'" is contracted and tp \-pL xc), and 
membership of disjunctions in a CNF of a rule premise are all decidable in 
ExpTime. Summing up, 

iflZ is ExpTiME-tractable, then global caching decides existence 
of tableaux for in ExpTiME. 

Global caching will typically avoid full expansion of tableaux, and provides a 
handle to achieve feasible average-case performance using suitable heuristics. 

7 Conclusions 

We have raised the theory of flat modal fixed point logics [27j to the level 
of generality of coalgebraic logic. Specifically, we have given a Kozen-Park 
style axiomatization for fixed point operators, and we have shown this ax- 
iomatization to be sound and complete under the conditions that (i) the 
defining formulas of the fixed point operators satisfy a mild syntactic crite- 
rion, and (ii) the coalgebraic base logic is axiomatized by a one-step cutfree 
complete rule set. This result is a wide generalization with respect to the 
case of relational semantics, and covers, e.g., natural fixed point extensions 
of probabilistic modal logic and monotone modal logic. Most notably, we 
prove completeness of fiat fragments of the graded /i-calculus |16) . to our 
knowledge the first completeness result for any graded fixed point logic, 
and we generalize completeness of alternating-time temporal logic [12] to 
arbitrary fiat fragments of the alternating-time //-calculus [T]. 

A core technical point in the proof was to show that essentially all mono- 
tone modal operators (including nested ones like □□, as long as the nesting 
depth is uniform) are finitary O-adjoints in the sense of [26], and hence 
induce constructive fixed point operators that can be approximated in cj 
steps. This has enabled a model construction using tableaux with explicit 
time-outs for least fixed point formulas in the spirit of |14] . which relies on a 
judicious definition of timed-out formula. As a byproduct of this construc- 
tion, we obtain an optimal (i.e. ExpTime) tableau calculus which paves the 
way for efficient implementations of coalgebraic flat fixed point logics, e.g. 
in the framework of the Coalgebraic Logic Satisfiability Solver CoLoSS [3]. 

Remaining open problems include the extension of the completeness re- 
sult to larger fragments of the coalgebraic /t-calculus beyond the single vari- 
able fragment covered here, first and foremost the alternation-free fragment. 
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and eventually the full coalgebraic jU-calculus. Similarly, there is the per- 
spective to extend our tableau construction to at least the alternation-free 
fragment. A further direction for future research includes the development 
of generic coalgebraic model checking techniques. 
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A Appendix: Proofs 



Proof of Lemma 14.61 

The proof that A'' is a ^-algebra is as in [23 , using Bekic's theorem. It 
remains to prove that vahdates the one-step rules in TZ. The first com- 
ponent of AP behaves just hke A, so that we have to verify the rules only 
on the second component, 2. That is, whenever we have a one-step rule 
x/V' £ and a valuation t : V A^ such that x''" = T in we have to 
prove that tt2^t = T, where 7r2 : ^4^* ^ 2 is the projection. Since depends 
only on vr^r, we thus have to prove that whenever we have t : V A such 
that X''" = T in A, the interpretation of ipT in 2 is T, where the interpreta- 
tion is determined by means of the and the Boolean algebra structure of 
2. Now if XT = T, then ip propositionally entails ^pT by one-step consistency 
of ip, and the claim follows. □ 

Proof of the Rigidity Lemma (Lemma 14. 5|) 

We prove the dual statement: Whenever ip is a conjunction over A(J-jj) such 
that for all rules f/x & and all substitutions a such that ijj \-pL X<7, Tpa 
is consistent, then V' is consistent. By Lemma 14.71 it suffices to prove that 
tp is one-step cutfree ^-consistent for 9{v) = {u E S{A{C^)) \ a{v) G u}. 
Thus, let 93/x G and let a : V ^ V he such that x^ is contracted and 
^PL Xf. We have to show that g ^- By assumption, ipa 

is consistent, so that there exists u € S{A{C^)) with ipa G u, and hence 
u S g using the fact that u is an ultrafilter. □ 

Proof of Lemma 14.111 

'If holds by construction. We prove 'only if by induction over the depth of 
uniformity, with trivial base case. Thus, let ip be provable and uniform of 
depth A; > 0. By applying propositional rules and unfolding (guarded) fixed 
points (where both types of transformations remain within Pos(FL('0))), 
we can reduce to the case that ■0 is a disjunction over A^FL^tp)). By 
Lemma 14.51 we have an admissible rule x/V' such that x(p) is provable 
and X G Pos{FL{7p)) is uniform of depth k — 1. By the inductive assump- 
tion, there exists tp G Pos{FL{x)) C Pos{FL{'ip)) such that (p{p) is provable 
and the rule ip/x is admissible, where the second inclusion follows from 
X G Pos{FL{ip)). We are done by noting that (p/^ is admissible. □ 

Proof of the finitary O-adjointness theorem (Theorem I4.12p 

We need an easy lemma: 

Lemma A.l (Variable elimination). Let <p/^p be an admissible rule, where 
Ip does not contain the variable v and v does not occur under the scope of 
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any modal or fixed point operators in ip. Then 



{ip[T/v]Vip[±/v])/i; 
is admissible. □ 

The proof of Theorem 14.121 then proceeds as fohows. 

Let 99 G J^jj. We have to construct a set G^{ip) of formulas such that for 
all /9 G Jjj, iIj{p) h 99 iff p h X for some x ^ G^{ip). 

Then ifj' := ij) ^ (p \s uniform (as does not contain x). Let G C 
Pos(FL(^')) be as in Lemma 14.111 applied to V'', and let Go be a finite set 
of representatives of G modulo propositional equivalence. Then put 

G^M = {x(T) I X e Go, h x(T) V x(^)}. 

Now let p h x(T) for some x S Go such that x(T) V x(^) is provable. To 
show that V'(p) I" it suffices by construction of Go and monotonicity of ifj 
to prove that x(o) /\{p ^ a) is provable for some formula a: then it follows 
that (V'(a) — 95) A (/9 — )• a) is provable, and hence that ip{p) if is provable. 
Since x A — )• x) is uniform of depth 0, existence of such an a is by simple 
propositional reasoning equivalent to provability of 

X(T) V(-pAxa)), 

which is equivalent to /? — > x(T) A (x(-L) V x(T)) and hence provable by 
assumption. 

Conversely, let tp{p) h (p. Then there exists x £ Cq such that x{p) is 
provable. By monotonicity of ip, the rule (x — ?> y) A xiu)/'^' is admissible. 
Since x is uniform of depth 0, eliminating y from the premise of this rule 
according to Lemma I A . 1 1 yields an admissible rule 

(-xAxW) Vxm/V'' (*) 

so the formula x'i^) '■= ~^ xi^)) /\ (x(-L) V x(T)), being propositionally 
equivalent to the premise of (*), also belongs to G. Because x is uniform of 
depth 0, provability of x(p) implies provability of x'{p)^ which is what we 
had to show in view of the definition of G^{ip). 

This proves that ip^^^^^ is O-adjoint. From the above description of 
G^, one sees immediately that ip^^^i^ is in fact a finitary O-adjoint, as 
Pos(FL(^')) is closed under G^. □ 

Proof of Corollary 14.141 

The set of finitary O-adjoints is closed under joins, meets with constants, 
and composition ^26j. □ 
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Proof of Lemma 15.31 

As is a (standard) formula, it is clear that ^{ip, '^^{'p)'^) cannot contain for- 
mulas of the form ^s{p)^ with A < a; other than ^-^{ipY . By well-foundedness 
of the subformula relation, 7((^, cannot contain {[^(y?)'^. Finally, 

the only way jj-subformulas can arise in ^{ip^'^^{ip)'^) is as subformulas of 

Proof of Lemma 15.51 

As S is finite, it suffices to show that for CCS and for 21 the set of timed- 
out S-atoms A such that ^* = C, 21 is finite. By maximality, timed-out 
atoms A and B induce incomparable tuples of time-outs when A* = S*, 
i.e. 21 induces an antichain in a finite power (w + 1)'^ of the well-ordering 
uj + 1. It follows from the theory of well- quasi- orders that {oj + 1)^ is a 
well-quasi-order, which means in particular that it does not have infinite 
anti-chains 118) : hence, 2t is finite. □ 



Proof of Lemma 15.71 

\^ li (p f\ tp ^ A, then {A'Y is consistent for A' := AU By maximality 
of A, it follows that t is not injective on A' ^ i.e. there is G ^ such that 
((/?')* = Again by maximality and Lemma [521 ^ V) ^'^d hence if ^ A. 

[21- If V V' G ^, then either {A U {if})" or {A U {V'})'* is consistent; in 
both cases, proceed as for[TJ 

O- Clear. 

Immediate from Lemma 14.21 and maximality of A. 
Both formulas have greatest ft-subformula tiilv')) ^^^d their s- 
translations are syntactically equal. Therefore if, e.g., '^^{ipY G A, then 
{A'Y, where A' = AVJ {7(9?, (17(9')''"^)}, is consistent. By maximality of 
A^ it follows that the translation t does not remain injective on A' , i.e. we 
have X* = (7(¥'j for some x £ ^- Again by maximality of A and 

Lemma [5^2] . we must have x ^ l{'^A'y{^Y~^)i so that ^{(p,'^^{(pY~^) & A. 
Similarly, we show that 'y{y^,'A-y{^)'^~^) € A implies '!^'y{^Y ^ ^- Maximality 
of A then yields the same implications with A replaced by A. 

Similar to El □ 

Proof of the timed-out Lindenbaum lemma (Lemma 15. 6}) 

Let pred(S) denote the set of timed-out S-formulas. The set 

{A C pred(S) | A^ consistent, t injective on A,Ao C A} 

is finite, and therefore has a maximal element A, which is clearly a S- 
atom. □ 
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Proof of the model existence lemma (Lemma 15. 9p 

Analogous to Theorem 4.10 of [29], avoiding the unnecessary induction over 
the depth of dags. □ 



Proof of the truth lemma (Lemma I5.10p 

Induction over timed-out S-formulas ^ using the lexicographic product of 
the subterm ordering on with ^ as the induction measure. We note that 
the inductive hypothesis can be strengthened to apply also to E Kn), as 
if^ \= {(p'Y in case 99 ^ if' . The case = T is trivial. The steps for _L, A, 
and V are taken care of by Lemma 15.71 The steps for modal operators are 
by coherence. 

Next, we discharge the case (p = By Lemma 15.71 we have 

l{'4'A'y{'4')'^~^) £ l{n). We prove by a further induction on 6 that 
for all subformulas 5 of 7, S{il^,]\y{ip)'^~^) € l{n) implies that n ^(7-,^) 
{5{'ip,]^^{ip)'^~^))^ , where we write n |={r,^) ^ n G ^(t-^)- The case 
for the parameter variable is discharged by the inductive hypothesis applied 
to ip, as ^* is a proper subterm of (^*, while the case for the argument vari- 
able is discharged by the inductive hypothesis applied to ])i'y{ip)'^~^ ^ ]\^{Tp)'^. 
The cases for Boolean operations and modal operators are as in the outer 
induction. This finishes the inner induction, so that n \=(t,0 7(^i P(i''P)'^~^) 
and hence n \={t,0 'A-yi''^)'^- 

Finally, the case if = b-y{ip) is discharged by coinduction. For /? G S, we 
put T{p) = {n € T \ p & ^(^)}- As |b7(V')l(7- is a greatest fixed point, it 
suffices to prove that T(b^(V')) is a postfixed point of 7, i.e. 

T{b,m c bmmKim- (i) 

To begin, we prove by induction over 6 that for all subformulas 5 of 7 and 
ah X e 5], 

mmnx)) = n6{i^,x))- (2) 

The cases for ^, T, and the argument variable x are clear. The case for the 
parameter variable p is discharged by the outer inductive hypothesis applied 
to V'- The cases for A and V are by Lemma 15.71 e.g., we have 



[(5v6)(v)i(r(x)) = I5(V')l(r(x))u[e(v)i(r(x)) 
= r(6(v^,x))ur(5(v,x)) 
= r(e(^,x) V,5(V,x)) 

= r((eV5)(V,x)) 

using the inner inductive hypothesis in the second step and Lemma 15.71 in 
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the third. Finally, the case for modal operators is by coherence: we have 

pm}inx)) = r'pwmnx) 

= r(w(v,x)) 

where the second step is by the inner inductive hypothesis and the third by 
coherence. 

By ([2]), we reduce our goal ([T]) to 

r(b^M) cr(7(V',b7(V'))), 

which follows by Lemma 15.71 □ 



Proof of Lemma 15.111 

Take T to be the set of all timed-out S-atoms, which is finite by Lemma [531 
with the labelling function / being identity, and take R to be the universal 
relation R = T x T- By the timed-out Lindenbaum lemma, there is some 
timed-out S-atom A such that ip' A, where ip' is converted into a timed- 
out formula by inserting time-outs uj. Since by construction, every demand 
of a consistent formula is consistent, we then have a timed-out S-tableau 
for ip. □ 



Proof of the completeness theorem (Theorem I5.12j) 

We have to show that every consistent formula (p is satisfiable. This follows 
immediately from Lemma 15.111 the model existence lemma (Lemma 15. 9p , 
and the truth lemma [5.101 □ 
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